Getting ID Verification To Scale

The authentication of a consumer’s digital identity is a critical issue on many levels to everyone in the payments ecosystem — especially the consumer. As the range of available technology to facilitate digital identity authentication grows, so does the problem of getting everyone to agree to a standard that will facilitate widespread growth, security and, notably, interoperability.

In a conversation about the most recent Digital Identity Tracker, powered by Oberthur, MPD CEO Karen Webster and Philipe Andreae, Vice President of Field Marketing, North America, at Oberthur Technologies, discussed the challenges that the industry currently faces in making the authentication of that consumer’s identity simple, strong and scalable.

KW: We uncovered some interesting trends and insights in the most recent edition of the Digital Identity Tracker that I’d like to explore with you.

Let’s start with the cover story, which was an interview I did with a board member at the FIDO Alliance. FIDO’s premise is to get rid of passwords. Is it impossible to secure a password?

PA: It is always possible to secure a password, as long as it contains enough of a variance of letters, numbers and symbols, and is longer than 8 characters in length. The challenge is remembering it, as well as implementing different passwords across the myriad websites and services that you access.

In creating passwords, people typically take something that they can remember because it carries meaning to them. Unfortunately, that usually means it’s also something that someone else — i.e., a hacker — can figure out.

KW: FIDO’s stated purpose is to make the authentication of the consumer’s identity simple, strong and scalable. Seems straightforward enough, yet it also seems very challenging to implement. Why is that?

PA: Part of the reason is the number of different Web browsers that people use across an increasing number of devices. On one end, the browsers all have to integrate the security capabilities to be able to accept a password, which can include biometrics, and on the other end, the server has to understand what the browser is doing and accurately prompt it. And that operation has to be facilitated by a business’ IT department.

There are a lot of moving parts, and that’s where FIDO comes in: They can write a set of standards that people in an industry can develop and test within interoperability events.

KW: The interoperability piece is obviously essential, but it’s almost like boiling the ocean — it’s so big. Computers, devices, browsers, operating systems… Where do you start?

PA: You start by getting like-minded people together to hash out the standards, which is what the FIDO Alliance did. It brought together the likes of PayPal, Samsung, IBM, Google, Microsoft, and many, many more competitors — people who are actually going to implement the specifications — working diligently to write them.

The next step is to make those specifications publicly available, so that other people who weren’t part of the development can develop to those standards.

The third piece of the puzzle is to develop a certification framework wherein someone who builds a device can confirm that it will be interoperable with others. There are close to 300 standard bodies working on this.

KW: That’s a lot of people to get to agree on something. What is the time frame for seeing some of these standards emerging and people beginning to adopt them?

PA: It’s already begun to happen. FIDO published a specification called UAF — Universal Authentication Framework. It was immediately adopted by Samsung, PayPal and Alipay; they went to market with the solution and pushed it out into their ecosystem.

There was a second specification called U2F — the Universal 2-Factor Framework. That was adopted by Google. Companies like Yubico and Nok Nok came together and developed, in the context of Google’s services, a mechanism to allow their customers to sell hardware to authenticate people who wanted to access Gmail, Google+ and the like.

I see a resemblance between FIDO and things outside of it, such as Apple’s Touch ID. Bank of America recently announced that they have enabled FIDO on both Apple and Android devices. I’m personally set up to use that with my Samsung phone.

KW: A topic monopolizing the press with regards to authentication is biometrics. Whether it’s your fingerprint, your heartbeat, your smile, your blink, et al… there are a lot of experiments being put into the market that really leverage biometrics. Being so personal, it takes what you own to a whole new dimension.

Do you see biometrics as becoming the de facto way authentication occurs?

PA: It’s going to be one of the more prevalent ways; it’s probably too early to assume it will become de facto.

Bank of America enabled — using my phone and the FIDO standard — the ability of their server to communicate with my device and recognize my fingerprint. My fingerprint is not in the cloud, which is good; the device does my biometric, and I select the one that works for me. The communication between the device and the relying party (the bank, in this case) is FIDO, and the server that the relying party uses to authenticate is based on FIDO. All the bank has to do is know that I am holding the device; they request FIDO’s protocol to give them something that will identify it with relation to my fingerprint.

And I think we’re there. The technology exists; one of the FIDO working groups that’s just recently been formed is called Deployment at Scale. That group is looking at the marketing, the technology and the risk factors to help industries and enterprises see the value, and then be able to deploy rapidly.

KW: “Scalable” and “interoperable” are two key tenets of what FIDO is trying to accomplish. That scheme that you mentioned, using your phone with Bank of America — how do you see that scaling?

PA: It will scale as long as the device manufacturers embrace FIDO, which they currently are, and as long as relying parties recognize the simplicity.

The vendors are building product. We’re doing it; Nok Nok is doing it; our competition is doing it. Companies like PayPal, USAA, and Bank of America are deploying it as a solution, while ING, American Express, Discover, MasterCard and Visa are all trying to figure out how to use it for various applications. And it’s being built in such a way that can deal with both high-risk and low-risk scenarios.

As new devices are manufactured and as new digital commerce applications are architected, they’re done so according to the standard — and it propagates. That’s how it gets to scale.

KW: What happens when someone steals your fingerprint?

That used to be a hypothetical, but, as we’ve discovered from the government OPM (Office of Personnel Management) hacking, it’s actually a reality. Almost 6 million fingerprints were stolen. That’s like stealing your Social Security number; you’ve only got one and it’s very unique to an individual. It’s a little scary.

PA: This is where we at OT are firmly of the belief that things like this should be held in the card, in the phone that is carried by the consumer. The idea of putting everything that is “me” in the cloud harkens back to George Orwell. Big Brother will watch if you give him the right to watch.

I think we as consumers have to take back the ownership of our identity and insist that it be secured in something that we hold — something that’s ours, not something that we have to trust someone else to protect.

KW: I know that Oberthur is very involved in so many dimensions of this conversation. What’s been the topic recently, as you’ve talked with people about reliably authenticating the consumer’s identity?

PA: We were at the University of Pittsburgh a couple of weeks ago, along with our banking partner PNC, talking with 29 universities about how to link payments to campus identity. Contactless, smart card-based solutions can be applied that would give students secure access to campus buildings, and they would also have EMV.

We’ve also been talking to several states about using the PIV application as the first responder identity in emergency situations, and combining it with a prepaid payment application.

Another thing we’ve spent a lot of time on is debit, and the issue of signature debit, PIN debit, and the migration of EMV into the U.S. market. John Drechny, of Walmart, recently told the audience at a conference that he’s got the incremental cost of EMV in time down to two-tenths of a second.

We’re talking about putting debit and credit on the same card, and we’re talking about the value of offline authentication, so that the merchant is able to know it’s a good card even though they’re not necessarily able to authorize the transaction in real time.

Medicare and Medicaid is an ongoing conversation… We are still pushing in Washington, D.C., and at the state level to get people to understand that we need to secure that environment, and that there are existing tools so that we don’t have to reinvent the wheel.
